HIPAA Blog

[ Thursday, December 11, 2003 ]

 

Healthcare, Privacy, and Omelets.

I can't remember if I mentioned it when it happened, but back in April, a group of privacy organizations, including Citizens for Health, filed suit against the US Department of Health and Human Services to stop implementation of the Privacy Rule. As you know, the two big anti-HIPAA cases in South Carolina and Houston have been shot down by federal judges. Those cases challenged the HIPAA regulations as being an unconstitutional delegation of legislative authority to a regulatory body and violating citizens' right to privacy (since covered entities must give HHS access to any PHI it asks for). This case, oral arguments on which were just heard in Philadelphia, focuses on the consent requirement that was in the original HIPAA privacy regulations but which was deleted from the final regulations.

Under the original regulations, disclosures for treatment, payment, or operations would need the consent of the patient, while other disclosures would need the patient's authorization. A dichotomy was established between levels of approval: a consent for regular and expected disclosures, and a more-onerous authorization for irregular or unusual disclosures. The problem with this is that much of the use of PHI in the actual provision and payment for healthcare is by parties that don't have access to the patient to get a consent. For example, under the original rules, if a physician refers a patient to a specialist or calls in an order to a pharmacy, the specialist and pharmacist can't even review the information until the patient shows up and signs a consent. This unworkability is why the consent requirement was removed.

The plaintiffs argue in this case that any of your information (HIV status, sexual orientation, etc.) can be disclosed without a consent. That's true, if the disclosure is for treatment, payment or healthcare operations. However, if the disclosure is for payment or operations, the "minimum necessary" rule still applies. Therefore, if there's no need for the disclosure for payment to occur (or for utilization review, quality management, or any other type of activity constituting "healthcare operations"), then it is already against the rules to make that disclosure. The minimum necessary rule does not apply to treatment, for good reason: you don't want one provider to fail to disclose information to another provider that might turn out to be a matter of life or death, and you sure don't want providers refusing to share information because they're afraid of who might come along later looking over their shoulder for a HIPAA violation.

You can't make an omelet without breaking some eggs. I've said it before, but you can't have good healthcare if the providers and other participants in the system can't share information. The best healthcare comes when there is the most free disclosure of information. Of course, on the other hand, the best privacy comes with the least disclosure of information. The best way to keep information from being disclosed is to not tell anyone about it. If you refuse to allow your doctor to test your blood, nobody would ever know about your HIV status. You won't get any healthcare that way; your doctor won't be able to treat you (or at least won't be able to treat you well) without getting (and using and disclosing) some information from you.

The trick of getting HIPAA right (from a regulatory standpoint) is to balance the need for openness and information exchange necessary to generate good healthcare with the desire for closedness and information protection necessary to ensure privacy. Should a provider be allowed to disclose your information without your consent? No. But must that consent be in writing and specific, or can a provider simply rely on the fact that you're coming to him for care as proof of your consent?

You have the right to prevent any provider from disclosing any of your PHI: just don't tell them about it. If you never see a doctor, no doctor will ever disclose your PHI. But if you want care, you have to recognize that your PHI will be seen, used, and disclosed.

If you want to eat the omelet, you can't complain that some of the eggs get broken.

Jeff [10:34 AM]
